Cyber Polygon is an international online exercise prioritising
joint response to cyberthreats and the improvement of business
cooperation in the fight against cybercrime. Training sessions such 
as Cyber Polygon are not yet a common practice, so there is no 
single approach to their conduct. For the debut session the focus was
[…] timely exchange of threat data between the participants. Based on
these objectives, participants were asked to undertake the following: 


- create a realistic training infrastructure and simulate the most common cyberattack scenarios;
- test independent incident response against cooperative response with other training participants;
- compare the results of the two approaches and assess the effectiveness of cooperation in repelling cyberattacks;
- use the results from Cyber Polygon 2019 to openly disseminate to the world community the knowledge and experience gained.


24 countries 
Strengthening cyber resilience is a critical factor primarily for the
representatives of the industries that form the digital ecosystem. 
However, developing commonly accepted regulations is necessary 
[…] debut event focused on engaging the following sectors:


- financial services industry, being the driver of economic activity in the world;
- telecom providers, as the ‘creators’ of cyberspace which allows us to bring economic activity to a new dimension;
- cyber-oriented government agencies — global coordinators and advocates of the digital ecosystem.


In 2019 among the participants involved in Cyber Polygon were 
Sberbank, New Development Bank, Department of Information and 
[…] of the largest telecom operators in Kazakhstan Transtelecom, and
MTS — an advanced telecommunications company in Russia. 


[…]
to the participants. This would allow them to take part in the training 
without extraneous efforts or special preparation. Cyber Polygon 
partnered with IBM and Fortinet — the largest international tech 
giants whose solutions have been protecting companies around 
the world for many years. 


Cyber Polygon scenarios


Cyber Polygon simulated several of the most common types 
of attacks on the participants’ training infrastructures. 

Three cyberattack scenarios were selected as relevant
for organisations in any sector of the economy:


- DDoS attack 
- Web application attack 
- Ransomware infection 


Each scenario — 2 rounds


Scenario 1. DDoS attack


Internet connectivity is the backbone of any modern business.
If the availability and stability of company information resources
is disrupted in any way, it may cost the business its customers
and lead to defamation and profit loss for its partners. For some
cybercriminals, a DDoS attack is an attractive attack vector to pursue
for financial extortion or to wage competitive warfare.


As this type of threat is very real, questions arise around how to
secure the sustainability of our digital economy. The problem is so
critical that it has become self-evident that the only viable option to
diminish its impact as best as possible would require a joint effort.


$50 per day — the starting price of a DDoS attack
Scenario 2. Web application attack


The Open Web Application Security Project community has 
published that code injection has been the leading method of 
attacks on web applications since 2013. Embedding SQL code, 
or SQL Injection, is one of the varieties of such attacks aimed at 
manipulating site databases. 


A well-prepared attack allows cybercriminals to send requests to 
the web application database, bypassing all protective measures, 
and to gain access to part or all of the information stored there: users'
bankcard details, passwords and phone numbers, their addresses 
and much more. 


This scenario was a perfect choice to be included in the line-up of 
exercises due to the prevalence and potential reach of SQL injections, 
as well as to the severity of their consequences. 





100,000 websites breached daily


Scenario 3. Ransomware attack


In 2017, WannaCry, Petya, and NotPetya ransomware epidemics 
forced the international community, even those not directly involved 
in cybersecurity, to talk about ransomware trojans. Once inside the 
system, this class of malware encrypts files and extorts a ransom 
to be paid before decrypting them. The average amount claimed is 
more than $1000. 


The popularity of phishing is only growing. A 2018 study by
Proofpoint surveyed cybersecurity specialists and found that
83% of them encountered this attack — that is 7% more than in 2017.


A couple of seconds of encryption can translate into hundreds of
thousands of dollars in damage, while such an attack is relatively easy
to implement. For this reason, this scenario was a conclusive
choice for inclusion in the training exercises.


81% of ransomware victims are businesses
and institutions, not private individuals
Cyber Polygon training flow


The training started at 12:00 and lasted about 3.5 hours. During this 
time, the three cyberattack scenarios were executed according to the 
following rules: 


- Each scenario was executed twice.
- In order to keep the situation as close as possible to real-life, the attacks were obfuscated by a stream of legitimate traffic that was in turn created by traffic generators.
- The duration of each scenario was set to last 1 hour to accommodate two rounds for each scenario as described above.
- The duration of each round lasted 30 minutes, regardless of the results and success.


During the first round, each participant had to identify and mitigate
the attack on their own. To stop the attack, the Blue Teams needed
to apply a security policy on the necessary protection tool that would
block IP addresses, files with a specific checksum or other indicators
of compromise (IoC) that distinguish a particular attack. The task was
considered completed when the participant uploaded the correct IoC
in the team's personal account on the site cyberpolygon.com.


During the second round, the teams submitted their IoCs to the
BI.ZONE ThreatVision platform. The attack was considered mitigated
when the first participant to identify and block the attack loaded
the correct IoC into the platform. Following this, the uploaded IoCs
were automatically transferred to the protection assets of the other
participants and the attack ceased for everybody.
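
The round-two exchange described above, sketched as an added example (not code from Cyber Polygon or the BI.ZONE ThreatVision platform): a hub canonicalises each submitted IP address or file checksum and pushes the first report of it to every team's blocklist. The names `normalize_ioc`, `SharingHub` and the `never_block` guard are assumptions of this sketch, and the sample data is constructed.

```python
import hashlib
import ipaddress
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> checksum type


def normalize_ioc(raw, never_block=()):
    """Return (type, canonical value) for an IP or file checksum; raise ValueError otherwise."""
    value = raw.strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Shared IoCs reach every team, so refuse ranges that must stay reachable.
        if ip.is_loopback or ip.is_unspecified or any(ip in net for net in never_block):
            raise ValueError(f"refusing to share {ip}")
        return ("ip", str(ip))
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) in HASH_TYPES:
        return (HASH_TYPES[len(value)], value.lower())
    raise ValueError(f"unrecognised indicator: {raw!r}")


class SharingHub:
    """Round-two model: the first valid report of an IoC is pushed to all teams."""

    def __init__(self, teams, never_block=()):
        # One blocklist per team stands in for that team's protection tool.
        self.blocklists = {name: set() for name in teams}
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.first_reporter = {}  # IoC -> team that reported it first

    def submit(self, sender, raw):
        ioc = normalize_ioc(raw, self.never_block)
        if ioc in self.first_reporter:
            return False  # already distributed, nothing new to push
        self.first_reporter[ioc] = sender
        for blocked in self.blocklists.values():
            blocked.add(ioc)
        return True


if __name__ == "__main__":
    # Constructed sample data: a documentation-range IP and a made-up file checksum.
    hub = SharingHub(["org1", "org2", "org3"], never_block=["10.0.0.0/8"])
    print(hub.submit("org1", " 203.0.113.45 "), hub.submit("org2", "203.0.113.45"))
    print(hub.submit("org3", hashlib.sha256(b"constructed sample").hexdigest().upper()))
    print(sorted(hub.blocklists["org3"]))
```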





Conclusions


The results of Cyber Polygon suggest the following conclusions: 


Training makes it quicker 


The second round of each scenario resulted in the participants taking 
considerably less time to detect and mitigate the attack compared 
to the fastest participants during the first round. This is partly due to 
the fact that after getting some practice in the first round, the teams 
better understood how to withstand the attacks. In the second
round of the scenario, the only elements that were changed were
the IoC values, and not the attack logic itself, so the participants
responded to the threat much faster. This confirms the effectiveness 
of practical training: teams improved their ability to mitigate attacks 
and immediately demonstrated progress all within a relatively short 
amount of time. 


Collaboration is the key 


Working with the data exchange platform yielded a remarkable 
decrease in the average time it took to respond to an attack. The 
best results from using the information sharing platform were 
obtained in the second scenario: compared to the first round of 
attacks on the web-based application, in the second round the 
response was 7 times faster. By exchanging data, the participants 
mitigated the attack in 2 minutes 31 seconds, as opposed to the 
longest independent response that took 24 minutes 24 seconds in 
the first round — the difference between the indicators was almost 
22 minutes with a total duration of the scenario set to 30 minutes. 





Competencies differ — uniting them is a must


In some cases, the joint efforts made it possible to mitigate even 
those attacks that would otherwise have been missed. Thus, 
organization 3 could not cope with the first scenario on its own. 
However, in the second launch, the use of the platform and the 
efforts of other participants were enough to protect the organization. 
In a real situation, this would have saved a company from losses 
associated with its web resources being unavailable. 


Some threats are still almost irresistible 


The ransomware infection turned out to be the most difficult
scenario for the participants: only one company was able to mitigate 
the attack independently. Companies showed the best results in the 
web-based application attack. 


Relying on the results gathered from the first training, we hope to
convince the global community of the efficiency of such exercises 
and demonstrate the process of global collaboration as a whole, 
thus attracting more international participants to exercise their 
cybersecurity capabilities and contribute to our common goal, 
which is to combat global cybercrime. 





What's next? 


Cyber Polygon is a unique event that was launched in 2019
and brought together government and private sector representatives
from different countries to develop skills for joint response
to cybersecurity incidents.


The training is organised on an annual basis — the next Cyber Polygon 
will be held on July 8, 2020. The technical part of the training takes 
[…] of participants of the exercise to be scaled ad infinitum.

Each training is accompanied by lectures, interviews and commentary 
by world experts — all this is live-streamed and can be followed from 
anywhere in the world. 


The adopted format of Cyber Polygon is believed to foster a new
approach to cyber exercises for the sake of benefiting the community 
at large. In the future, as more complex scenarios are developed, 
results of the training as well as the feedback of participants and 
partners will be further analysed to formulate concrete proposals 
[…] event or to learn more about Cyber Polygon, please contact:





